SYSTEM AND METHOD FOR DETECTION AND LOCATION OF
ROGUE WIRELESS ACCESS USERS IN A COMPUTER NETWORK



Field of the invention 

[0001] The present invention relates to methods for computer networks.
[0002] In particular, this invention relates to a method to detect and locate a 
rogue wireless access user to a computer network. 



Background of the invention
[0003] Wireless computer networks have grown in recent years not only for
business enterprise environments but also for the small office / home office,
universities and even cafes. Wireless local area networks (WLAN)
make it very convenient for users to access information in a computer
network, whether for work or recreation.

[0004] A WLAN makes use of wireless access points (AP) to send and
receive signals to connect computers wirelessly to a central computer or
server. Organizations provide WLANs to allow their employees,
business partners, students or customers to access their servers.
[0005] However, unlike a wired local area network (LAN), where access
means that a user's computer has to be physically connected to a network
socket via a wire or cable, access to a wireless LAN only requires a user to
have a wireless access card in his computer.
[0006] This wireless access card may also be present as an in-built
capability in computers and other wireless computing devices such as
personal digital assistants (PDAs), tablet computers, mobile telephones and
combination devices with features of these wireless computing devices.
WO 2005/041040                                          PCT/SG2004/000255

[0007] In a WLAN deployment, while servers and access points have native
security measures, these may not be sufficiently or properly enabled due to
ignorance, or are intentionally circumvented by users who desire faster
access to the network.

[0008] Numerous methods and devices to restrict access to a WLAN to
authorized users only abound. However, when an unauthorized or rogue
user is detected, existing methods and devices of the prior art are not able
to determine the geographical location of these rogue users.
[0009] To detect rogue users, the techniques of the prior art may use a
wireless monitoring device that stores Media Access Control (MAC)
addresses of users to compare the device number of each access point
used against a list of authorized APs. This information may be correlated
with Received Signal Strength Indicator values so as to give an idea of the
distance of the rogue user from an AP of the network. However,
determining and geographically locating the AP in question more precisely
is not possible with the methods of the prior art.
[0010] To locate any rogue users in the network, a person has to use
another device, a customized receiver with a directional antenna. This
device is brought to the area where the rogue user is suspected to be, to
"home in" on his signals. Such a device may be coupled to a Global
Positioning System device, as is taught by WO02/089507 (Younis).
[0011] Another invention uses a time acquisition unit to determine the
distance of a mobile terminal from an AP (WO03/046600, Dietrich and
Kraemer). Yet another invention (US2003023876, Bardsley) correlates
network and intrusion information to find the physical connection port into
the protected device rather than the geographical location of the rogue
user.

[0012] However, all these inventions cannot detect and locate the rogue
user without someone having to physically be on the ground, in the area
covered by the WLAN. As such, these methods of the prior art are limited by
requiring a human to physically patrol the area with a receiver to locate
rogue users. Therefore, a method of detecting and determining the
geographical location of unauthorized or rogue access users without having
to be physically on the ground will add an extra layer of protection to
critical network resources without having to incur high costs, especially in
human resources. Such an invention will be welcome to address this
deficiency in the prior art.

Summary of the Invention 
[0013] The present invention seeks to provide a system and method against 
unauthorized, rogue users of a computer system. 
[0014] Accordingly, in one aspect, the present invention provides a method
to detect and geographically locate a rogue user wirelessly accessing a
computer network, the method comprising:
deploying at least one Network Management System program;
mapping a geographical area covered by the wireless computer network
into at least one island;
measuring at least one network performance parameter for each island to
obtain a spatial performance model;
deriving a performance index for each island based on the at least one
performance parameter;
identifying a potential rogue user based at least on his Media Access
Control (MAC) address and Internet Protocol (IP) address;
measuring at least one performance parameter of the potential rogue user;
deriving at least one performance index for the potential rogue user;
determining the location of the potential rogue user by comparing the
performance index of the potential rogue user with the historical, average
performance indices of each island pertinent to the current time of
detection; and
effecting at least one network security measure against the rogue user.

[0015] In another aspect, the present invention provides a system to detect
and geographically locate a rogue user wirelessly accessing a computer
network, the system comprising:
a computer network with at least one wireless access point,
at least one processor,
at least a network management system,
at least one storage means, and
at least one implementation of the algorithm of the present invention,
wherein the rogue user is able to be geographically located without the
computer network's staff having to be physically in the vicinity of the
rogue user.

Brief Description of the Drawings
[0016] A preferred embodiment of the present invention will now be more
fully described, by way of example, with reference to the drawings of which:
[0017] FIG. 1 is the overall flowchart of how the present invention works.
[0018] FIG. 2 shows the islands around a wireless access point with similar
network performance characteristics.
[0019] FIG. 3 is a more detailed flowchart showing how the algorithm of the
present invention works in one embodiment of the invention.
[0020] FIG. 4 is a more detailed flowchart showing how the algorithm of the
present invention works in another embodiment of the invention.

Detailed Description of the Drawings 
[0021] The invention will now be described. In the following description,
details are provided to describe the preferred embodiment. It shall be
apparent to one skilled in the art, however, that the invention may be
practiced without such details. Some of these details may not be described
at length so as not to obscure the invention.

[0022] There are many advantages of the preferred embodiment of the
invention. The advantages of the preferred embodiment include allowing
a network administrator using the invention to monitor, detect and locate
rogue users speedily in the wireless network without leaving his desk.
When a rogue user is detected, security measures may be taken against
him. When repeat offenders are located after being warned, they may be
prosecuted according to the applicable laws of the country concerned.
[0023] The present invention provides a method and a system using
network performance information to detect and geographically locate rogue
users in a wireless computer network.
[0024] The overall strategy of the present invention is illustrated in FIG. 1.
First, a commercially-available Network Management System (NMS) is
deployed 101 to establish the spatial performance model 102 for a WLAN.
This is done by collecting and mapping out the performance characteristics
of wireless computers in various spots or islands, identified by their
respective position indices (e.g. 1, 2, 3, 4, 6, etc. in FIG. 2), in the area
covered by the wireless access points (APs) of that network. This area is
typically in buildings and the surrounding areas where genuine, authorized
users may log on wirelessly into the network, and where rogue users may
intermingle and hide in plain sight while connecting to the WLAN. Also of
interest will be hidden areas such as blind corners and stairwells which
rogue users may favour.

[0025] The mapping may be ad hoc, that is, as and when users log on in
various known, pre-identified areas for wireless access such as a
dedicated lounge for "hot desking" workers or a university cafeteria with APs
for students. Alternatively, the mapping may be systematic, that is, a
member of the information technology office staff may position himself at
each pre-identified or predetermined island or spot, log on wirelessly with a
computer or a suitable wireless computing device, and allow the
performance characteristic of his computer or device to be captured for
each spot or island.

[0026] Thereafter, the performance characteristic of each spot or island (as
identified by their respective position index) may continually be captured
and monitored at fixed intervals throughout the day. As such, this
information is dynamically updated at these time intervals by the deployed
Network Management System (NMS) used by the network. Under the
present invention, the performance characteristic of each spot is the
aggregate of the measured values of various network performance
parameters for that spot or island. As the performance of the wireless
network changes through the day depending on the number of users
accessing the system, these spots or islands may also be dynamically
changed and updated, grouped according to substantially similar
performance characteristics at each particular point in time.
[0027] The idea is, when a suspected rogue user is detected 103 based on
his Media Access Control (MAC) and Internet Protocol (IP) addresses, an
algorithm, an element of the present invention, may be used to locate him
using the performance characteristic 104 of his computer at a spot which
has been mapped to position indices 105 in the surrounding area.
[0028] A variety of security measures may then be taken, ranging from
merely logging his particulars in an audit trail 106 or displaying his most
probable location 107, to preferentially denying him access the next time, to
prosecuting him according to the prevailing laws of that jurisdiction.
[0029] Thus, the spatial performance model of the present invention links
the performance characteristic of each island with its location. In other
words, the spatial performance model is used to identify the location of a
rogue user by his computer's network performance characteristics.
[0030] To establish the spatial performance model for a particular WLAN,
any suitable, commercially available NMS software may be deployed (101,
FIG. 1) and used. These programs are able to collect and show the MAC
and IP addresses of computers and access points logged into the network
as well as other performance characteristics of each wireless connection to
the network.

[0031] Each "layer" of the network system has performance parameters
whose values vary with variables such as distance from the access point,
number of wireless users, network topology, building materials used, and
time of day. These performance parameters may be used for the
determination of the geographical location of a rogue user.
[0032] With reference to the Open System Interconnection (OSI) reference
model for data communications, at the physical layer, the signal strength
and signal-to-noise ratio may be used. At the network layer, "ping"
response time and propagation delay times may be used. At the application
layer level, the transaction response and delay times may be used. At the
data link layer, the link utilization, packet rate, number of error packets and
throughput rate may be used as performance parameters. These
parameters are merely examples of measurements that may be used and
the present invention is of course not limited to use of only these
parameters.

[0033] Now, as the distance of a user's computer from a wireless access
point (AP) increases, the network performance pertaining to that user's
computer decreases. Deterioration in network performance is also affected
by building structures that reduce the transmission strength of the signals.
[0034] Thus, a unique map of the area of coverage by the WLAN may be
plotted using at least one performance parameter or characteristic. The
model may also be presented with the performance characteristics
represented as a derived index value. Of course, the more parameters
measured and represented, the better. This map is illustrative of the spatial
performance model. The diagram below shows the various spots or islands
around a wireless access point 200, identified by their respective position
indices in the map, sharing the same performance characteristics at a
particular time period of the day (FIG. 2 and also below). It will be
appreciated that this mapping of the islands or spots in the area covered
may be dynamic and the mapping is updated as the performance
characteristics of the islands or spots change.



[FIG. 2: spots or islands with position indices 1 to 12 around wireless
access point 200]
[0035] This information may also be listed in a corresponding matrix table
representing the spatial performance model (102, FIG. 1), an element of the
present invention. The matrix table for the above diagram is:

Principal Direction            |      North       |      South       |       East       |       West
Position Index, j              |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
Ping Response Time             | 0.08  0.15  0.11 | 0.12  0.18  0.14 | 0.07  0.17  0.1  | 0.05  0.2   0.3
Signal To Noise Ratio          | 0.9   0.55  0.7  | 0.82  0.45  0.65 | 0.86  0.6   0.75 | 0.92  0.4   0.65


[0036] This table is logged and dynamically updated by the NMS
periodically throughout the day, depending on the processor demands of
the network and also on the possibility of the threat of rogue users. This
periodic updating is performed as the performance characteristics vary with
the number of users logging into the network. For example, the network
characteristics may be optimal in the early hours of the morning and least
optimal during the day when the network's wireless traffic is heaviest.
These records are stored and averaged to obtain dynamic, moving
averages for the performance characteristics of each spot or island at each
time period of the day.

[0037] Under the present invention, the NMS may be readily configured to
periodically collect MAC and IP addresses of users wirelessly connected to
the system for identification of possible rogue users. The identification is
done by comparing the collected MAC and IP addresses with a reference
set of valid addresses of authorized users. Users with addresses not on
this reference set are considered as potential rogue users 103.
[0038] The next step in the method of the present invention is to analyse
and geographically locate these potential rogue users. This step has two
parts. First, the subnet address, and hence the nearest wireless access
point (AP) serving the rogue user, is determined by performing a logical
AND operation between the captured IP address and the subnet mask of
the rogue user.

[0039] The second part is to refine and determine the geographical location
of the rogue user with reference to this nearest AP. To do this, the
performance characteristics of the potential rogue user are captured 104.
Then a ranking algorithm, an element of the present invention, is used to
compare the performance characteristics of the potential rogue user with
the average of the historical reference performance characteristics pertinent
to the time of day of detection 105.

[0040] The algorithm normalizes, ranks and yields a performance index
representing the performance characteristics of each island covered by the
nearest AP, compared with that of the rogue user. Appropriate actions may
then be taken 106, 107.

[0041] This method of the present invention essentially locates potential
rogue users geographically based on their performance characteristics,
which stand out from the background of moving performance averages.

[0042] This setup of the method of the present invention may be
implemented in a number of ways and two embodiments of mathematical
operations are given to illustrate its application. In no way should the
present invention be seen to be limited to these two examples, as many
other mathematical operations that achieve normalization and ranking of
performance values to establish the closest fit may be used to implement
this step of the method of the present invention.
[0043] The following example illustrates how the algorithm works by a first
series of mathematical operations. The two performance parameters used,
ping response time and signal to noise ratio, are only illustrative and do not
limit the present invention.

[0044] Table 1 below shows the historical, average values P_{i,j} of the
selected performance parameters of 12 islands around an access point for
the time period in question 301.
Principal Direction            |      North       |      South       |       East       |       West
Position Index, j              |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
Ping Response Time, P_{1,j}    | 0.08  0.15  0.11 | 0.12  0.18  0.14 | 0.07  0.17  0.1  | 0.05  0.2   0.3
Signal To Noise Ratio, P_{2,j} | 0.9   0.55  0.7  | 0.82  0.45  0.65 | 0.86  0.6   0.75 | 0.92  0.4   0.65

Table 1



[0045] And the values of the performance parameters of the rogue access
user captured at the time of day, C_i 302, are:

Ping Response Time, C_1        0.07
Signal To Noise Ratio, C_2     0.88



[0046] Subtracting to obtain the differences E_{i,j} for the values of each
performance parameter i at each position index j 303, using the formula

$E_{i,j} = |C_i - P_{i,j}|$,

(where C_i is the captured performance parameter i of the rogue user at the
time of day, and P_{i,j} is the moving average of performance parameter i at
each position index or island j),

we get Table 2 below.

Principal Direction            |      North       |      South       |       East       |       West
Position Index, j              |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
E_{1,j}                        | 0.01  0.08  0.04 | 0.05  0.11  0.07 | 0.01  0.1   0.03 | 0.02  0.13  0.23
E_{2,j}                        | 0.02  0.33  0.18 | 0.06  0.43  0.23 | 0.02  0.28  0.13 | 0.04  0.48  0.23

Table 2
And the minimum values for each difference 304 are:

E_{1,min}    0.01
E_{2,min}    0.02


[0047] Normalizing the value of each difference to obtain the rank
numbers R_{i,j} 305, using the formula

$R_{i,j} = E_{i,j} / (E_{i,j})_{\min}$,

(where $(E_{i,j})_{\min}$ is the minimum for each difference), we get the rank
numbers R_{i,j} in Table 3:

Principal Direction            |      North       |      South       |       East       |       West
Position Index, j              |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
R_{1,j}                        | 2     16    8    | 10    22    14   | 1     20    6    | 4     26    46
R_{2,j}                        | 1     16.5  9    | 3     21.3  11.5 | 1     14    6.5  | 2     24    11.5
S_j                            | 3     32.5  17   | 13    43.5  25.5 | 2     34    12.5 | 6     50    57.6

Table 3



[0048] Summing up the columns for each position index to obtain S, the
sum of the rank numbers for each position index j 306. Thus S is the derived
performance index for each island as identified by their respective position
indices. From the performance index S, we can obtain the island or spot
with the lowest value, which is the most likely location of the rogue user
307, where

$S_j = \sum_{i=1}^{n} R_{i,j}$

In this example, n = 2, since two performance parameters were selected.
[0049] To practice the invention, other series of mathematical operations
may also be used, as is illustrated by the following second method example.
The data in Table 1 401 is again used in this second example.
[0050] The values of the performance parameters are first normalized by
dividing them by the smallest value for that parameter 403, 404. (From
Table 1, the smallest value of the parameter of ping response time is 0.05,
and for the signal to noise ratio parameter, it is 0.4.)
[0051] The normalized values are given in Table 4:

Principal Direction                          |      North       |      South       |       East       |       West
Position Index, j                            |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
Ping Response Time, normalised P_{1,j}       | 1.6   3     2.2  | 2.4   3.6   2.8  | 1.3   3.4   2    | 1     4     6
Signal To Noise Ratio, normalised P_{2,j}    | 2.25  1.38  1.75 | 2.05  1.13  1.63 | 2.15  1.5   1.86 | 2.3   1     1.63

Table 4



[0052] The captured performance parameters of the rogue user, C_i, are then
divided by the smallest value 403 to obtain normalized values 405 as
tabulated below:

Ping Response Time, normalised C_1        1.4
Signal To Noise Ratio, normalised C_2     2.2



[0053] The differences are calculated for each spot or island 406 by
subtracting the normalized captured performance parameter value of the
rogue user from the normalized values of the spatial performance model,
and these are summed 407 to obtain the value of S, the performance index
for each spot or island. The results are given in Table 5:

Principal Direction                          |      North       |      South       |       East       |       West
Position Index, j                            |   1     2     3  |   4     5     6  |   7     8     9  |  10    11    12
Ping Response Time difference, normalised    | 0.2   1.6   0.8  | 1     2.2   1.4  | 0.1   2     0.6  | 0.4   2.6   4.6
Signal To Noise Ratio difference, normalised | 0.05  0.83  0.45 | 0.15  1.08  0.58 | 0.05  0.7   0.33 | 0.1   1.2   0.58
S_j                                          | 0.25  2.43  1.25 | 1.15  3.28  1.98 | 0.15  2.7   0.93 | 0.5   3.8   5.16

Table 5



[0054] By this second method example, the most probable location of the
rogue user is given by the island or spot with the smallest performance
index (S value) 408, which, in this case, is location number (or position
index) 7.

[0055] Thus, whatever mathematical method is used for deriving the
performance indices of the islands and that of the rogue users, the same or
substantially the same method is used for both the islands and the rogue
users.
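The subnet step of [0038] and both ranking embodiments ([0043] to [0054]) carried through in Python on the page's Table 1 data and the captured values C_1 = 0.07, C_2 = 0.88; this is an added example, not code from the patent. The function names, the fallback used when a minimum difference is zero, and the sample client address are assumptions.

```python
"""Spatial-performance-model locator, run on the page's own Table 1 data and
the captured rogue values C_1 = 0.07, C_2 = 0.88."""
import ipaddress
from typing import Dict, List, Sequence

# Historical per-island averages P_{i,j} from Table 1: two parameters, 12 islands.
MODEL: Dict[str, List[float]] = {
    "ping_rtt": [0.08, 0.15, 0.11, 0.12, 0.18, 0.14, 0.07, 0.17, 0.10, 0.05, 0.20, 0.30],
    "snr":      [0.90, 0.55, 0.70, 0.82, 0.45, 0.65, 0.86, 0.60, 0.75, 0.92, 0.40, 0.65],
}
# Values C_i captured from the suspected rogue client (paragraph [0045]).
CAPTURED: Dict[str, float] = {"ping_rtt": 0.07, "snr": 0.88}


def serving_subnet(ip: str, mask: str) -> str:
    """Step [0038]: AND the captured IP with its subnet mask to select the
    subnet, and hence the nearest AP, serving the client."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False).network_address)


def _rank_divisor(diffs: Sequence[float]) -> float:
    """Divisor for the rank step R = E / E_min.

    The page's formula is undefined when E_min is 0, which the printed data
    produces: the captured ping value 0.07 equals island 7's average exactly.
    Assumption (not stated on the page): fall back to the smallest non-zero
    difference, so the exact match ranks 0 and the next-closest island ranks 1.
    """
    positive = [d for d in diffs if d > 0.0]
    return min(positive) if positive else 1.0   # all exact matches: ranks stay 0


def method_one(model: Dict[str, List[float]], captured: Dict[str, float]) -> List[float]:
    """First embodiment (FIG. 3): E_ij = |C_i - P_ij|, R_ij = E_ij / E_i,min,
    S_j = sum over i of R_ij. Returns S_j for j = 1..n_islands (0-based list)."""
    n_islands = len(next(iter(model.values())))
    scores = [0.0] * n_islands
    for param, averages in model.items():
        diffs = [abs(captured[param] - p) for p in averages]
        divisor = _rank_divisor(diffs)
        for j, e in enumerate(diffs):
            scores[j] += e / divisor
    return scores


def method_two(model: Dict[str, List[float]], captured: Dict[str, float]) -> List[float]:
    """Second embodiment (FIG. 4): divide every value by the parameter's smallest
    model value, then S_j = sum over i of |C_i/min_i - P_ij/min_i|."""
    n_islands = len(next(iter(model.values())))
    scores = [0.0] * n_islands
    for param, averages in model.items():
        smallest = min(averages)
        if smallest <= 0.0:
            raise ValueError(f"{param}: normalisation needs a positive minimum")
        c_norm = captured[param] / smallest
        for j, p in enumerate(averages):
            scores[j] += abs(c_norm - p / smallest)
    return scores


def most_probable_island(scores: Sequence[float]) -> int:
    """Position index j (1-based) with the lowest performance index S_j."""
    return min(range(len(scores)), key=scores.__getitem__) + 1


if __name__ == "__main__":
    # Constructed sample client address in the TEST-NET-1 documentation range.
    print("serving subnet:", serving_subnet("192.0.2.77", "255.255.255.0"))
    for name, fn in (("method 1", method_one), ("method 2", method_two)):
        s = fn(MODEL, CAPTURED)
        print(name, [round(v, 2) for v in s], "-> island", most_probable_island(s))
```

Both embodiments pick island 7, matching [0054]; with more precise averages than the printed two decimals the zero-difference fallback would not trigger.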

[0056] Upon determining the location by the methods of the present
invention, immediate arrival at the spot or island by the network
administration or law enforcement staff may allow photographic evidence of
the intrusion, as well as the likeness of the rogue user, to be captured for
identification purposes. The measures taken after detection and
determination of the rogue user's geographical location of course depend
on the prevailing laws of the land.

[0057] Thereafter, the location and performance characteristics of the rogue
user may be recorded and flagged for tracking. In addition, predetermined
security measures such as denial of access, warnings and prosecution may
be effected according to the user's organizational security and computer
usage policies.
[0058] A person skilled in the art will appreciate that the method of the
present invention is to first map the areas covered by the various wireless
access points of the computer network. Thereafter, the network performance
characteristics of each location spot sharing substantially the same
characteristics are determined by aggregating various network
performance parameters to obtain background values and to establish the
spatial performance model of the present invention. As shown by the
examples given, this aggregation may be obtained by a number of
mathematical operations which all serve the same objective: to derive a
performance index that reveals the most probable geographical location of
the rogue user.

[0059] In the techniques of the prior art, any rogue user accessing the
network may be identified by his MAC and IP addresses. However, the
spatial performance model of the present invention may then be used to
locate him by matching the performance characteristics of his computer
with those of the island or spot with the same or substantially the same
performance characteristics.

[0060] The person skilled in the art will also recognise that the algorithm of
the present invention may be readily represented by various equivalent
mathematical operations and implemented in a variety of programming
languages or routines, to be linked to the NMS so that the present invention
may be implemented and practiced.

[0061] Thus, to enable the invention to be practiced, a person skilled in the
art will appreciate that the minimum physical embodiment of the present
invention consists of a computer network with at least one wireless access
point, at least one processor, at least a network management system, at
least one storage means and at least one implementation of the algorithm
of the present invention. By implementing the algorithm of the present
system in such a computer network, rogue users may be located without
any of the network's staff having to be physically in the vicinity of the
rogue user to locate him, unlike the limitations of the prior art. Other
variations and embodiments of the present invention will fall within the
scope of the present invention.

[0062] The present invention therefore provides a method, an algorithm and
a system for detecting and geographically locating rogue access users to a
wireless computer network that overcomes, or at least alleviates, the
limitations of the prior art.

[0063] It will be appreciated that although one preferred embodiment has
been described in detail, various modifications and improvements can be
made by a person skilled in the art without departing from the scope of the
present invention.



